From 7c089f71667a1a14cc508772ca289d4d1d2edd27 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 9 Dec 2013 08:11:16 +0100 Subject: Configure the content filter. Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay) --- roles/IMAP/files/etc/amavis/conf.d/05-domain_id | 20 +++ .../virtual/transport_content_filter_maps.cf | 4 +- roles/IMAP/files/etc/spamassassin/local.cf | 118 ++++++++++++++++++ roles/IMAP/files/etc/spamassassin/v310.pre | 78 ++++++++++++ roles/IMAP/files/tmp/spamassassin.sql | 57 +++++++++ roles/IMAP/handlers/main.yml | 19 +++ roles/IMAP/tasks/amavis.yml | 56 +++++++++ roles/IMAP/tasks/main.yml | 2 + roles/IMAP/tasks/spam.yml | 51 ++++++++ .../etc/amavis/conf.d/15-content_filter_mode.j2 | 29 +++++ roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 | 135 +++++++++++++++++++++ roles/IMAP/templates/etc/postfix/main.cf.j2 | 3 +- roles/common-LDAP/tasks/main.yml | 21 +++- .../templates/etc/ldap/database.ldif.j2 | 22 +++- 14 files changed, 607 insertions(+), 8 deletions(-) create mode 100644 roles/IMAP/files/etc/amavis/conf.d/05-domain_id create mode 100644 roles/IMAP/files/etc/spamassassin/local.cf create mode 100644 roles/IMAP/files/etc/spamassassin/v310.pre create mode 100644 roles/IMAP/files/tmp/spamassassin.sql create mode 100644 roles/IMAP/tasks/amavis.yml create mode 100644 roles/IMAP/tasks/spam.yml create mode 100644 roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 create mode 100644 roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 diff --git a/roles/IMAP/files/etc/amavis/conf.d/05-domain_id b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id new file mode 100644 index 0000000..19f10ed --- /dev/null +++ b/roles/IMAP/files/etc/amavis/conf.d/05-domain_id @@ -0,0 +1,20 @@ +use strict; + +# $mydomain is used just for convenience in the config files and it is not +# used internally by amavisd-new except in the default X_HEADER_LINE (which +# Debian overrides by default anyway). + +$mydomain = "fripost.org"; + +# amavisd-new needs to know which email domains are to be considered local +# to the administrative domain. Only emails to "local" domains are subject +# to certain functionality, such as the addition of spam tags. +# +# Default local domains to $mydomain and all subdomains. Remember to +# override or redefine this if $mydomain is changed later in the config +# sequence. + +@local_domains_acl = ( ".$mydomain" ); +@local_domains_maps = ( ".$mydomain" ); + +1; # ensure a defined return diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf index 6ea944f..3a97841 100644 --- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf +++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter_maps.cf @@ -3,6 +3,6 @@ version = 3 search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org scope = base bind = none -query_filter = (&(ObjectClass=AmavisAccount)(fvl=%u)) +query_filter = (&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fvl=%u)) result_attribute = fvl -result_format = amavisfeed:unix:public/amavisfeed-contentfilter +result_format = amavisfeed:[127.0.0.1]:10041 diff --git a/roles/IMAP/files/etc/spamassassin/local.cf b/roles/IMAP/files/etc/spamassassin/local.cf new file mode 100644 index 0000000..8ae4a4b --- /dev/null +++ b/roles/IMAP/files/etc/spamassassin/local.cf @@ -0,0 +1,118 @@ +# This is the right place to customize your installation of SpamAssassin. +# +# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be +# tweaked. +# +# Only a small subset of options are listed below +# +########################################################################### + +# Add *****SPAM***** to the Subject header of spam e-mails +# +rewrite_header Subject [*****SPAM*****] + + +# Save spam messages as a message/rfc822 MIME attachment instead of +# modifying the original message (0: off, 2: use text/plain instead) +# +report_safe 0 + + +# Set which networks or hosts are considered 'trusted' by your mail +# server (i.e. not spammers) +# +# TODO: Unclear how to do with IPSec and dynamic IPs. +clear_trusted_networks +trusted_networks 192.168.122.2 192.168.122.3 + +clear_internal_networks +internal_networks 192.168.122.2 192.168.122.3 + + +# Set file-locking method (flock is not safe over NFS, but is faster) +# +lock_method flock + + +# Set the threshold at which a message is considered spam (default: 5.0) +# +required_score 5.0 + + +# Use Bayesian classifier (default: 1) +# +use_bayes 1 + + +# Bayesian classifier auto-learning (default: 1) +# +bayes_auto_learn 1 +bayes_auto_expire 0 + + +# Enable or disable network checks +# +# http://en.linuxreviews.org/Spam_blacklists +# The best bets are zen.spamhaus.org and bl.spamcop.net . +skip_rbl_checks 0 +use_razor2 1 +use_pyzor 0 +use_auto_whitelist 1 + +# http://www.spamtips.org/2011/01/disable-dnsfromahblrhsbl.html +score DNS_FROM_AHBL_RHSBL 0 +# http://www.spamtips.org/2011/01/disable-rfc-ignorantorg-rules.html +score __RFC_IGNORANT_ENVFROM 0 +score DNS_FROM_RFC_DSN 0 +score DNS_FROM_RFC_BOGUSMX 0 +score __DNS_FROM_RFC_POST 0 +score __DNS_FROM_RFC_ABUSE 0 +score __DNS_FROM_RFC_WHOIS 0 + +# Set headers which may provide inappropriate cues to the Bayesian +# classifier +# +# bayes_ignore_header X-Bogosity +# bayes_ignore_header X-Spam-Flag +# bayes_ignore_header X-Spam-Status + + +# Some shortcircuiting, if the plugin is enabled +# +ifplugin Mail::SpamAssassin::Plugin::Shortcircuit +# +# default: strongly-whitelisted mails are *really* whitelisted now, if the +# shortcircuiting plugin is active, causing early exit to save CPU load. +# Uncomment to turn this on +# +# shortcircuit USER_IN_WHITELIST on +# shortcircuit USER_IN_DEF_WHITELIST on +# shortcircuit USER_IN_ALL_SPAM_TO on +# shortcircuit SUBJECT_IN_WHITELIST on + +# the opposite; blacklisted mails can also save CPU +# +# shortcircuit USER_IN_BLACKLIST on +# shortcircuit USER_IN_BLACKLIST_TO on +# shortcircuit SUBJECT_IN_BLACKLIST on + +# if you have taken the time to correctly specify your "trusted_networks", +# this is another good way to save CPU +# +# shortcircuit ALL_TRUSTED on + +# and a well-trained bayes DB can save running rules, too +# +# shortcircuit BAYES_99 spam +# shortcircuit BAYES_00 ham + +endif # Mail::SpamAssassin::Plugin::Shortcircuit + + +bayes_store_module Mail::SpamAssassin::BayesStore::MySQL +bayes_sql_dsn DBI:mysql:spamassassin +bayes_sql_username amavis + +auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList +user_awl_dsn DBI:mysql:spamassassin +user_awl_sql_username amavis diff --git a/roles/IMAP/files/etc/spamassassin/v310.pre b/roles/IMAP/files/etc/spamassassin/v310.pre new file mode 100644 index 0000000..bff0bbf --- /dev/null +++ b/roles/IMAP/files/etc/spamassassin/v310.pre @@ -0,0 +1,78 @@ +# This is the right place to customize your installation of SpamAssassin. +# +# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be +# tweaked. +# +# This file was installed during the installation of SpamAssassin 3.1.0, +# and contains plugin loading commands for the new plugins added in that +# release. It will not be overwritten during future SpamAssassin installs, +# so you can modify it to enable some disabled-by-default plugins below, +# if you so wish. +# +# There are now multiple files read to enable plugins in the +# /etc/mail/spamassassin directory; previously only one, "init.pre" was +# read. Now both "init.pre", "v310.pre", and any other files ending in +# ".pre" will be read. As future releases are made, new plugins will be +# added to new files, named according to the release they're added in. +########################################################################### + +# DCC - perform DCC message checks. +# +# DCC is disabled here because it is not open source. See the DCC +# license for more details. +# +#loadplugin Mail::SpamAssassin::Plugin::DCC + +# Pyzor - perform Pyzor message checks. +# +loadplugin Mail::SpamAssassin::Plugin::Pyzor + +# Razor2 - perform Razor2 message checks. +# +loadplugin Mail::SpamAssassin::Plugin::Razor2 + +# SpamCop - perform SpamCop message reporting +# +loadplugin Mail::SpamAssassin::Plugin::SpamCop + +# AntiVirus - some simple anti-virus checks, this is not a replacement +# for an anti-virus filter like Clam AntiVirus +# +#loadplugin Mail::SpamAssassin::Plugin::AntiVirus + +# AWL - do auto-whitelist checks +# +loadplugin Mail::SpamAssassin::Plugin::AWL + +# AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning +# +loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold + +# TextCat - language guesser +# +#loadplugin Mail::SpamAssassin::Plugin::TextCat + +# AccessDB - lookup from-addresses in access database +# +#loadplugin Mail::SpamAssassin::Plugin::AccessDB + +# WhitelistSubject - Whitelist/Blacklist certain subject regular expressions +# +loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject + +########################################################################### +# experimental plugins + +# DomainKeys - perform DomainKeys verification +# +# This plugin has been removed as of v3.3.0. Use the DKIM plugin instead, +# which supports both Domain Keys and DKIM. + +# MIMEHeader - apply regexp rules against MIME headers in the message +# +loadplugin Mail::SpamAssassin::Plugin::MIMEHeader + +# ReplaceTags +# +loadplugin Mail::SpamAssassin::Plugin::ReplaceTags + diff --git a/roles/IMAP/files/tmp/spamassassin.sql b/roles/IMAP/files/tmp/spamassassin.sql new file mode 100644 index 0000000..ed2e641 --- /dev/null +++ b/roles/IMAP/files/tmp/spamassassin.sql @@ -0,0 +1,57 @@ +-- Sources: https://svn.apache.org/repos/asf/spamassassin/trunk/sql/awl_mysql.sql +-- https://svn.apache.org/repos/asf/spamassassin/trunk/sql/bayes_mysql.sql + +CREATE TABLE awl ( + username VARCHAR(100) NOT NULL DEFAULT '', + email VARBINARY(255) NOT NULL DEFAULT '', + ip VARCHAR(40) NOT NULL DEFAULT '', + count INT(11) NOT NULL DEFAULT 0, + totscore FLOAT NOT NULL DEFAULT 0, + signedby VARCHAR(255) NOT NULL DEFAULT '', + PRIMARY KEY (username,email,signedby,ip) +) ENGINE=InnoDB; + +CREATE TABLE bayes_expire ( + id INT(11) NOT NULL DEFAULT 0, + runtime INT(11) NOT NULL DEFAULT 0, + KEY bayes_expire_idx1 (id) +) ENGINE=InnoDB; + +CREATE TABLE bayes_global_vars ( + variable VARCHAR(30) NOT NULL default '', + value VARCHAR(200) NOT NULL default '', + PRIMARY KEY (variable) +) ENGINE=InnoDB; +INSERT INTO bayes_global_vars VALUES ('VERSION','3'); + +CREATE TABLE bayes_seen ( + id INT(11) NOT NULL DEFAULT 0, + msgid VARCHAR(200) BINARY NOT NULL DEFAULT '', + flag CHAR(1) NOT NULL DEFAULT '', + PRIMARY KEY (id,msgid) +) ENGINE=InnoDB; + +CREATE TABLE bayes_token ( + id INT(11) NOT NULL DEFAULT 0, + token BINARY(5) NOT NULL DEFAULT '', + spam_count INT(11) NOT NULL DEFAULT 0, + ham_count INT(11) NOT NULL DEFAULT 0, + atime INT(11) NOT NULL DEFAULT 0, + PRIMARY KEY (id, token), + INDEX bayes_token_idx1 (id, atime) +) ENGINE=InnoDB; + +CREATE TABLE bayes_vars ( + id INT(11) NOT NULL AUTO_INCREMENT, + username VARCHAR(200) NOT NULL DEFAULT '', + spam_count INT(11) NOT NULL DEFAULT 0, + ham_count INT(11) NOT NULL DEFAULT 0, + token_count INT(11) NOT NULL DEFAULT 0, + last_expire INT(11) NOT NULL DEFAULT 0, + last_atime_delta INT(11) NOT NULL DEFAULT 0, + last_expire_reduce INT(11) NOT NULL DEFAULT 0, + oldest_token_age INT(11) NOT NULL DEFAULT 2147483647, + newest_token_age INT(11) NOT NULL DEFAULT 0, + PRIMARY KEY (id), + UNIQUE bayes_vars_idx1 (username) +) ENGINE=InnoDB; diff --git a/roles/IMAP/handlers/main.yml b/roles/IMAP/handlers/main.yml index 2e54251..9bd7dab 100644 --- a/roles/IMAP/handlers/main.yml +++ b/roles/IMAP/handlers/main.yml @@ -7,3 +7,22 @@ - name: Reload Postfix service: name=postfix state=reloaded + +- name: Restart ClamAV + service: name=clamav-daemon state=restarted + +- name: Restart Amavis + service: name=amavis state=restarted + +- name: Copy SQL tables for spamassassin + copy: src=tmp/spamassassin.sql + dest=/tmp/spamassassin.sql + owner=root group=root + mode=0600 + +- name: Create SQL tables for spamassassin + # see https://svn.apache.org/repos/asf/spamassassin/trunk/sql/ + # for the original + mysql_db: name=spamassassin state=import + target=/tmp/spamassassin.sql + encoding=latin1 collation=latin1_unicode_ci diff --git a/roles/IMAP/tasks/amavis.yml b/roles/IMAP/tasks/amavis.yml new file mode 100644 index 0000000..6f47328 --- /dev/null +++ b/roles/IMAP/tasks/amavis.yml @@ -0,0 +1,56 @@ +- name: Install amavis and its decoders + apt: pkg={{ item }} + with_items: + - amavisd-new + - libnet-ldap-perl + - libauthen-sasl-perl + - gzip + - bzip2 + - xz-utils + - lzop + - rpm2cpio + - pax + - binutils + - p7zip-full + - unrar-free + - arj + - nomarch + - zoo + - ripole + - cabextract + - unar + - tnef + notify: + - Restart Amavis + +- name: Add 'clamav' to the group 'amavis' + user: name=clamav groups=amavis append=yes + register: r1 + notify: + - Restart ClamAV + - Restart Amavis + +- name: Configure Amavis (1) + copy: src=etc/amavis/conf.d/05-domain_id + dest=/etc/amavis/conf.d/05-domain_id + owner=root group=root + mode=0644 + register: r2 + notify: + - Restart Amavis + +- name: Configure Amavis (2) + template: src=etc/amavis/conf.d/{{ item }}.j2 + dest=/etc/amavis/conf.d/{{ item }} + owner=root group=root + mode=0644 + register: r3 + with_items: + - 15-content_filter_mode + - 50-user + notify: + - Restart Amavis + +- name: Start Amavis + service: name=amavis state=started + when: not (r1.changed or r2.changed or r3.changed) diff --git a/roles/IMAP/tasks/main.yml b/roles/IMAP/tasks/main.yml index df21dd2..b43f9fb 100644 --- a/roles/IMAP/tasks/main.yml +++ b/roles/IMAP/tasks/main.yml @@ -1,3 +1,5 @@ --- - include: imap.yml tags=imap,dovecot - include: mda.yml tags=mda,mail,postfix +- include: amavis.yml tags=amavis +- include: spam.yml tags=spam,spamassassin diff --git a/roles/IMAP/tasks/spam.yml b/roles/IMAP/tasks/spam.yml new file mode 100644 index 0000000..d326656 --- /dev/null +++ b/roles/IMAP/tasks/spam.yml @@ -0,0 +1,51 @@ +- name: Install spamassassin + apt: pkg={{ item }} + with_items: + - razor + - spamassassin + - spamc + - libdbi-perl + notify: + - Restart Amavis + +- name: Create a 'spamassassin' database + mysql_db: name=spamassassin state=present + encoding=latin1 collation=latin1_general_ci + notify: + - Copy SQL tables for spamassassin + - Create SQL tables for spamassassin + +- meta: flush_handlers + +- name: Copy SpamAssassin's configuration + copy: src=etc/{{ item }} + dest=/etc/{{ item }} + owner=root group=root + mode=0644 + with_items: + - spamassassin/local.cf + - spamassassin/v310.pre + notify: + - Restart Amavis + +- name: Ensure SpamAssassin is not auto-started at boot time + lineinfile: dest=/etc/default/spamassassin + regexp='^(\s*#)?\s*ENABLED=' + line='ENABLED=0' + owner=root group=root + mode=0644 + +- name: Create a 'amavis' SQL user + # This *must* be the user we run spamd as + # See https://svn.apache.org/repos/asf/spamassassin/trunk/sql/README.bayes + mysql_user: > + name=amavis auth_plugin=auth_socket + priv="spamassassin.awl: SELECT,INSERT,UPDATE,DELETE + /spamassassin.bayes_seen: SELECT,INSERT, DELETE + /spamassassin.bayes_token: SELECT,INSERT,UPDATE,DELETE + /spamassassin.bayes_global_vars: SELECT + /spamassassin.bayes_vars: SELECT,INSERT,UPDATE,DELETE + /spamassassin.bayes_expire: SELECT,INSERT, DELETE" + state=present + notify: + - Restart Amavis diff --git a/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 new file mode 100644 index 0000000..cde0452 --- /dev/null +++ b/roles/IMAP/templates/etc/amavis/conf.d/15-content_filter_mode.j2 @@ -0,0 +1,29 @@ +use strict; + +# You can modify this file to re-enable SPAM checking through spamassassin +# and to re-enable antivirus checking. + +# +# Default antivirus checking mode +# Please note, that anti-virus checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +@bypass_virus_checks_maps = ( + \%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re); + + +# +# Default SPAM checking mode +# Please note, that anti-spam checking is DISABLED by +# default. +# If You wish to enable it, please uncomment the following lines: + + +{% if 'MDA' in group_names -%} +@bypass_spam_checks_maps = ( + \%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re); +{% endif %} + +1; # ensure a defined return diff --git a/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 new file mode 100644 index 0000000..7d412f8 --- /dev/null +++ b/roles/IMAP/templates/etc/amavis/conf.d/50-user.j2 @@ -0,0 +1,135 @@ +use strict; + +# +# Place your configuration directives here. They will override those in +# earlier files. +# +# See /usr/share/doc/amavisd-new/ for documentation and examples of +# the directives you can use in this file +# + +# $max_servers: num of pre-forked children (2..30 is common). It *must* +# match the number set in /etc/postfix/master.cf "maxproc" column for +# the amavisfeed service. +$max_servers = 2; + +# list your internal networks +@mynetworks = qw( 127.0.0.0/8 172.16.0.1/32 ); + + +# Always deliver messages (force *_lovers_maps to [1]) +$final_virus_destiny = D_PASS; +$final_banned_destiny = D_PASS; +$final_unchecked_destiny = D_PASS; +$final_spam_destiny = D_PASS; +$final_bad_header_destiny = D_PASS; +$final_destiny_by_ccat{&CC_OVERSIZED} = D_PASS; + +%lovers_maps_by_ccat = ( + CC_CATCHALL, 1, +); + + +# Disable quarantine (force *_quarantine_to_maps to [1]; don't forget to +# disable setting amavisSpamQuarantineCutoffLevel and amavisVirusQuarantine*To, +# also) +$QUARANTINEDIR = undef; +%quarantine_method_by_ccat = ( + CC_CATCHALL, undef, +); +%admin_maps_by_ccat = ( + CC_CATCHALL, undef, +); + +undef $undecipherable_subject_tag; + +# Defang virus only +%defang_maps_by_ccat = ( + CC_VIRUS, 1, + CC_CATCHALL, undef, +); + +# Never BCC / DSN; don't forget to disallow setting amavisSpamDsnCutoffLevel +# and amavis*Admin, also +%always_bcc_by_ccat = ( + CC_CATCHALL, undef, +); +%dsn_bcc_by_ccat = ( + CC_CATCHALL, undef, +); + +# Never warn sender / recipient; don't forget to disallow setting +# amavisWarn*Recip, also +%warnsender_by_ccat = ( # deprecated use, except perhaps for CC_BADH + CC_CATCHALL, undef, +); +%warnrecip_maps_by_ccat = ( + CC_CATCHALL, undef, +); + +@message_size_limit_maps = (); # per-recipient limits + + +%banned_rules = ( + 'NO-MS-EXEC'=> new_RE( qr'^\.exe-ms$' ), + 'PASSALL' => new_RE( [qr'^' => 0] ), + 'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ), + 'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ), +); + + +$enable_ldap = 1; +$default_ldap = { + hostname => 'ldapi://', + sasl => 1, + sasl_mech => 'EXTERNAL', + deref => 'never', + timeout => 5, + scope => 'one', + base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org', + # XXX: ideally we would use %u in the base and the query_filter, but + # it's not supported as of amavis 2.7 (see the 'lookup_ldap' + # subroutine in /usr/sbin/amavisd-new) + query_filter => '(&(objectClass=amavisAccount)(ObjectClass=FripostVirtualUser)(fvl=%m))' +}; + + +$recipient_delimiter = '+'; +$enable_dkim_verification = 1; # enable DKIM signatures verification + + +# Per-recipient Bayes Database. +@sa_username_maps = ( + new_RE ( [ qr'^(.+@[^@]+)$'i => '$1' ] ), + 'amavis' # catch-all +); + +# http://www.ijs.si/software/amavisd/amavisd-new-docs.html#pbanks-ex + +$inet_socket_port = 10041; + +$interface_policy{'10041'} = 'INBOUND'; + +{% if 'MTA-out' in group_names %} +$notify_method = 'smtp:[127.0.0.1]:{{ MTA_out.port }}'; +{% else %} +$notify_method = 'smtp:[{{ MTA_out.IPv4 }}]:{{ MTA_out.port }}'; +{% endif %} +$forward_method = 'lmtp:/var/run/dovecot/lmtp'; +$requeue_method = $forward_method; + +$sa_tag_level_deflt = undef; +$sa_tag2_level_deflt = 5; +$sa_kill_level_deflt = 5; +$sa_dsn_cutoff_level = undef; +$sa_quarantine_cutoff_level = undef; + +$policy_bank{'INBOUND'} = { + originating => 0, # indicates a remote client, allows checking + smtpd_greeting_banner => + '${helo-name} ${protocol} ${product} INBOUND service ready', + mynetworks_maps => [], # avoids loading MYNETS policy unnecessarily +}; + +#------------ Do not modify anything below this line ------------- +1; # ensure a defined return diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2 index 1fb2fcc..2ccbe6a 100644 --- a/roles/IMAP/templates/etc/postfix/main.cf.j2 +++ b/roles/IMAP/templates/etc/postfix/main.cf.j2 @@ -50,9 +50,10 @@ default_transport = error:5.1.1 Transport unavailable # Virtual transport (the alias resolution is already done by the MX:es) virtual_transport = lmtp:unix:private/dovecot-lmtpd +lmtp_bind_address = 127.0.0.1 virtual_mailbox_domains = ldap:$config_directory/virtual/mailbox_domains.cf virtual_mailbox_maps = ldap:$config_directory/virtual/mailbox_maps.cf -mailbox_transport_maps = ldap:$config_directory/virtual/transport_content_filter_maps.cf +transport_maps = ldap:$config_directory/virtual/transport_content_filter_maps.cf # Don't rewrite remote headers local_header_rewrite_clients = diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 06eb692..5c993fc 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -53,19 +53,32 @@ owner=root group=root mode=0600 -- name: Copy fripost schema - copy: src=etc/ldap/schema/fripost.ldif - dest=/etc/ldap/schema/fripost.ldif +- name: Copy fripost & amavis' schema + copy: src=etc/ldap/schema/{{ item }} + dest=/etc/ldap/schema/{{ item }} owner=root group=root mode=0644 + # It'd certainly be nicer if we didn't have to deploy amavis' schema + # everywhere, but we need the 'objectClass' in our replicates, hence + # they need to be aware of the 'amavisAccount' class. + with_items: + - fripost.ldif + - amavis.schema + tags: + - amavis - name: Load fripost's schema and configure the database openldap: target=/etc/ldap/{{ item }} state=present with_items: - schema/fripost.ldif - # TODO load other required schemas *before* loading the database - fripost/database.ldif +- name: Load amavis' schema + openldap: target=/etc/ldap/schema/amavis.schema state=present + format=slapd.conf name=amavis + tags: + - ldap + - name: Start slapd service: name=slapd state=started when: not (r1.changed or r2.changed) diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index cf12f10..f76eb78 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -73,7 +73,13 @@ olcDbIndex: entryCSN,entryUUID eq # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap # -{% if 'LDAP-provider' not in group_names %} +{% if 'LDAP-provider' in group_names %} +olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" + time.soft=unlimited + time.hard=unlimited + size.soft=unlimited + size.hard=unlimited +{% elif 'MX' in group_names %} olcSyncrepl: rid=000 provider=ldap://{{ LDAP_provider }} type=refreshAndPersist @@ -129,6 +135,20 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd by users =0 break # +# The following is required for the content filter +{% if 'MDA' in group_names %} +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" + attrs=entry + filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE)) + by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s + by users =0 break +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" + attrs=entry,objectClass,fvl,@AmavisAccount + filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)) + by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd + by users =0 break +{% endif %} +# # Anonymous can authenticate into the services. (But not read or write the password.) olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword -- cgit v1.2.3